Microsoft has released security updates (SUs) for vulnerabilities found in:
IMPORTANT: Updates are released in a self-extracting, auto-elevating .exe package. Please see this post for more information. Older versions of the update packages can be downloaded from the Microsoft Update Catalog.
These SUs are available for the following specific builds of Exchange Server:
The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Addressing some of the CVEs released this month requires admins to enable Windows Extended Protection on their Exchange servers. To help you enable this feature, we have developed a script for this process. Please carefully evaluate your environment and review all known issues mentioned in the script documentation before enabling Windows Extended Protection on your Exchange servers.
Please note that enabling Extended Protection (EP) is only supported on specific versions of Exchange (please see documentation for full list of prerequisites).
The current version of this script can be found at https://aka.ms/ExchangeEPScript and the documentation is at https://aka.ms/ExchangeEPDoc. The script provided to enable Extended Protection will automatically update itself and ask you to relaunch it, as long as the computer on which it is executed has an internet connection (direct or via proxy). However, if you don't have internet access, make sure to download the latest version of the script, as we are continuously improving it.
It is important that you fully understand Windows Extended Protection prerequisites and all known issues before running the script in your environment. Enabling Extended Protection affects communication between your Exchange servers and between clients and servers.
Update paths available:
Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).
Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.
If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
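The inventory step above relies on HealthChecker, which reads the file version of ExSetup.exe on each server, because an SU does not change the CU-level AdminDisplayVersion shown by Get-ExchangeServer. The following PowerShell is an added example of that check (it is not HealthChecker or any other Microsoft script): it collects the ExSetup.exe build from every server via PowerShell remoting and compares it with a minimum-build table. Only the Exchange 2019 CU12 August 2022 value (15.2.1118.10) is taken from this page, from a commenter's HealthChecker output; rows for other CUs are placeholders you must fill in from the release table. It assumes the Exchange Management Shell for Get-ExchangeServer and remoting rights on the servers.

```powershell
# Added example, not Microsoft's HealthChecker script.
# Requires the Exchange Management Shell (Get-ExchangeServer) and PowerShell
# remoting to each Exchange server. Run as an Exchange administrator.

# Minimum ExSetup.exe file version per CU for the August 2022 SU.
# Key = major.minor.build of the CU, value = first build that carries the SU.
# Only the 2019 CU12 row comes from this page; $null marks a row to fill in
# from the official release table (servers on that CU are reported, not judged).
$MinimumBuild = @{
    '15.2.1118' = [version]'15.2.1118.10'   # Exchange 2019 CU12, Aug 2022 SU (from page)
    '15.2.986'  = $null                      # Exchange 2019 CU11 - placeholder, fill in
    '15.1.2507' = $null                      # Exchange 2016 CU23 - placeholder, fill in
    '15.1.2375' = $null                      # Exchange 2016 CU22 - placeholder, fill in
    '15.0.1497' = $null                      # Exchange 2013 CU23 - placeholder, fill in
}

function Get-ExchangeBuild {
    # Returns the ExSetup.exe file version (e.g. "15.02.1118.010") from one server.
    # ExSetup.exe is updated by every SU, unlike AdminDisplayVersion.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    }
}

function Test-ExchangeSuLevel {
    # Emits one object per server: its build, the expected minimum and a verdict.
    param([Parameter(Mandatory)][hashtable]$Minimum)
    foreach ($srv in Get-ExchangeServer) {
        # Edge servers are not domain-joined; remoting usually needs explicit
        # credentials, so they are flagged for a manual check (the SU still applies).
        if ($srv.ServerRole -like '*Edge*') {
            [pscustomobject]@{ Server = $srv.Name; Build = $null; MinimumBuild = $null; Status = 'Edge: check manually' }
            continue
        }
        try {
            $build = [version](Get-ExchangeBuild -ComputerName $srv.Fqdn)
        } catch {
            [pscustomobject]@{ Server = $srv.Name; Build = $null; MinimumBuild = $null; Status = "Unreachable: $($_.Exception.Message)" }
            continue
        }
        $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
        $min   = $Minimum[$cuKey]
        $status = if (-not $Minimum.ContainsKey($cuKey)) { 'Unknown CU' }
                  elseif ($null -eq $min)                  { 'Minimum not filled in' }
                  elseif ($build -ge $min)                 { 'OK' }
                  else                                     { 'Behind on SU' }
        [pscustomobject]@{ Server = $srv.Name; Build = $build; MinimumBuild = $min; Status = $status }
    }
}

Test-ExchangeSuLevel -Minimum $MinimumBuild | Sort-Object Status, Server | Format-Table -AutoSize
```

Because the comparison is on the full four-part version, a server reporting 15.02.1118.010 parses to 15.2.1118.10 and is judged OK, while a CU12 server still on an earlier revision is reported as behind. Keep HealthChecker as the authoritative check; this script only covers the build comparison, not the /PrepareAllDomains or Extended Protection prerequisites it also reports on.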
We are not aware of any known issues with this release.
My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the August 2022 SUs do need to be installed on your on-premises Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after installing updates.
Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only the Management Tools role (no Exchange services) do not need these updates.
We skipped installation of May 2022 SU. Do we need to run /preparealldomains after we install the August SU?
When May 2022 SU was released, the /preparealldomains switch needed to be run manually to address a particular CVE. If you skipped the May 2022 SU and are going straight to August 2022 SU, you will still need to run /preparealldomains to address that particular CVE. Please see the May 2022 SU release post for more details. When in doubt, run HealthChecker which will tell you what you need to do!
Updates to this post:
The Exchange Server Team
The update replaces the update from May. In that one a PrepareAllDomains was necessary. Can I do the August update and then the PrepareAllDomains, or do I have to do the May update first?
What if we can't enable Windows Extended Protection because of one of the limitation mentioned in the documentation like SSL offloading. Are we just out of luck?
@Todd J Vanscoter Please keep checking the GitHub documentation page; we will be providing additional guidance related to SSL scenarios. We made it so GitHub documentation pages show the date of last update.
Hello @Nino Bilic
I am into this Extended Protection (EP) thing also, because we have had a lot of issues with it with ADFS in multi-forest environments (but worked it out with MS support). We run Netscalers and NSX load balancers in our environments, so have to work things out first regarding EP.
Question I have:
If we install the update now but can't enable EP at this time, the infrastructure is updated but not fully mitigated against all the August CVEs, right? So we can install the update for now. There are no components that require EP to be enabled to function. Correct? In other words: we can split off the EP enabling action so it is done later, and go on with updating the servers with the patch.
I will check EP topic regularly for updates, as well as this topic.
Thanks for your reply.
@christiaan-nl That is correct; enablement of EP is a separate action that needs to be taken AFTER August 2022 SUs are installed (and all of the other prereqs are met) but there is no specific time when it needs to be taken after SUs are installed.
*** Update: Answered questions on my own :)***
*** Update2: Tested different scenarios***
My Ex2019 CU12 with AUG patch has build:
Version: Exchange 2019 CU12
Build Number: 15.02.1118.010
Question 1: I can't apply the script for EP because the revision is not 11 or 12 but 10
https://github.com/microsoft/CSS-Exchange/blob/main/Security/src/ExchangeExtendedProtectionManagemen... --> Line: 244
Is this error? All other checks show: ConfigSupported: TRUE
MS re-uploaded the correct EXE so now it's OK
Question 2: We know about ssl offloading issue, what about ssl bridging?
SSL bridging works OK after I copied Letsencrypt cert from loadbalancer to Exchange. Got myself few scripts to automate this. After that enabled EP all fine.
EP excludes AutoDiscover virtual directories, so you can have different certs for autodiscover on loadbalancer and exchange:
autodiscover.domain.com and mail.domain.com on exchange and autodiscover.domain.com AND autodiscover.otherdomain.com on loadbalancer.
Tested and working with: OWA, different mobile devices, Outlook 2019/2021 on Windows 10.
Question 3: We have TLS 1.3 on load balancer and connect to backend DAG via SSL but use TLS 1.2, will this be issue?
Short answer: NO! It will work just fine as long as exchange and loadbalancer certs match.
CLIENT HTTPS TLS1.3 --> Loadbalancer --> EXCHANGE HTTPS TLS 1.2 == OK
I hope it helps someone :)
Forgive me, but with all the limitations here this seems not ready for prime time. It seems likely that most customers will hit at least one of these limitations which will prevent application.
Some of the issues that are preventing me from implementing...
Customers using a Retention Policy containing Retention Tags which perform Move to Archive actions should not configure Extended Protection, as enabling Extended Protection will cause automated archiving to stop working. We are actively working to resolve this issue.
If Public Folders exist on Exchange 2013 servers and Extended Protection is enabled, they will no longer appear and end users will be unable to access them
If you are using Modern Hybrid or the Hybrid Agent enabling Extended Protection will cause Hybrid features like Free/Busy and mailbox migration to stop working.
Extended Protection is not supported in environments that use SSL offloading. SSL termination during SSL offloading causes Extended Protection to fail
When I click on the security update download link for my version of Exchange on the page below, it brings me to the May 2022 SU.
is this the SU I have to install? Why does it have a release date of 05/10/22?
@ceantuco Yeah that seems broken, I'll get this fixed. Download links are in our blog post here too (and they are version specific). EDIT: should be fixed now.
Hello, if Extended Protection needs "Require SSL" ticked, is it still compatible with HTTP to HTTPS redirect for Exchange?
In this guide (Configure http to https redirection for Outlook on the web in Exchange Server) in the Exchange docs, you need to remove "Require SSL" from the default website.
Thanks for clarification.
Hi Nino, perhaps clarify non-necessity to install on Exchange 2019 CU12 Management Tools (recipient management) only deployments.
Hi @Nino Bilic,
Can you please tell us, regarding CVE-2022-30134, whether user interaction is required or not?
The Metric says no User Interaction is required, but FAQ says it is required.
@Alexander_Hossdorf Thanks, I reported to the security team.
@Michel de Rooij This is in the FAQ on this blog post. :)
@Alexander_Hossdorf @Nino Bilic
The link for Exchange 2019 CU 12 has a publication date of 08/05/22 instead of 08/09/22. Is this okay? I want to make sure this isn't a testing/beta version of the update.
@ceantuco and @Alexander_Hossdorf EDIT: yes in fact we are uploading a newer version of CU12 SU. Sigh; I apologize, this was a slightly older build.
Thank you @Nino Bilic and @Alexander_Hossdorf
I did not think it was the European date format... I just thought it was weird an update released today had an older date.
@ceantuco You are correct; upon additional inspection, this WAS a wrong package; we are taking it offline and will upload the right one shortly. Sorry about that!
Hi Nino, I have already installed this older build ("yes, I was quick" :)). I hope it will not break my Exchange19 CU 12.
Hi @Nino Bilic,
in my opinion, this combination of Exchange vulnerabilities has the potential to do major damage again.
It would therefore be very helpful to learn more about the possible attack scenarios.
In my opinion, the current description is not sufficient for Defenders to initiate countermeasures.
As already described here, there will be some scenarios in which immediate protection will not be possible due to the prerequisites. For this reason, additional information would certainly be helpful.
@Nino Bilic thanks for the quick response. I will delete the file downloaded.
Also, is it mandatory to enable Extended Protection?
@ceantuco The issue is now resolved; due to caching, you might see an older update package but the new one will (and I just checked) have the date of publication from 8/9/2022.
And it is not mandatory to enable Extended Protection, but we recommend that you work to do so. The CVEs that refer to it will not be addressed until EP is enabled. But there is no "time requirement" here.
I have Public Folders, only like 2, on my single Exchange 2016 CU22. I don't care about the Public Folders, no one uses them anymore. Can I install the Aug SU safely and then run EP script? (I think it's a yes to Aug SU for sure, but EP mentions CU22 and Public Folders...)
@Nino Bilic thanks for the quick update! I will probably download it tomorrow.
Okay. I will look into enabling Extended protection.
@jordanl17 Yes it is totally "safe" to do; it's just that access to PFs might be impacted unless you are on the latest CU but it sounds like this is a good opportunity to do some house cleaning so...
@osozu You can safely uninstall the SU package and install the updated one; unlike CUs, SUs are easily uninstalled.
@Alexander_Hossdorf We are not aware of active exploitation of any of this, hence we (or our MSRC team) do not have anything to provide as far as IOCs etc. at this time. And that is a good thing. Extended Protection is to counter potential for MitM style attacks.
@Nino Bilic I installed the newer build over the first files published and it seems that Exchange is working fine; I have not uninstalled the former patch.
Hi @a7n8x, in the guide (Configure http to https redirection for Outlook on the web in Exchange Server) we only clear the Require SSL check box on the Default Website, not the virtual directories. Extended Protection is applied to the virtual directories and not to the default website. We have validated that this works before and after configuring Extended Protection. The Extended Protection document on GitHub shows which vDir setting the script modifies. Hope that helps!
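The blog post's Extended Protection section and the reply above both turn on the same two IIS settings: the Windows-authentication extendedProtection tokenChecking value on each Exchange virtual directory, and the "Require SSL" flag (sslFlags), which lives separately on the site root and on each vDir. The following PowerShell is an added example, not the CSS-Exchange ExchangeExtendedProtectionManagement script, that reads both values per location so you can verify what the script changed and see that the site root and the vDirs are configured independently. It assumes the WebAdministration module, that it runs locally on each Exchange server as an administrator, and a hand-written vDir list for the front-end and back-end sites (Autodiscover is included only so the report shows it is left alone, as a commenter noted above).

```powershell
# Added example, not Microsoft's Extended Protection script.
# Reads two IIS settings per location on the local Exchange server:
#   - windowsAuthentication/extendedProtection tokenChecking (None/Allow/Require)
#   - system.webServer/security/access sslFlags ("Require SSL" is the Ssl flag)
Import-Module WebAdministration

# Assumed vDir list; '' means the site root itself.
$Sites = [ordered]@{
    'Default Web Site'  = @('', 'API', 'Autodiscover', 'ECP', 'EWS', 'MAPI',
                            'Microsoft-Server-ActiveSync', 'OAB', 'OWA', 'PowerShell', 'RPC')
    'Exchange Back End' = @('', 'API', 'Autodiscover', 'ECP', 'EWS', 'MAPI/emsmdb', 'MAPI/nspi',
                            'Microsoft-Server-ActiveSync', 'OAB', 'OWA', 'PowerShell', 'RPC')
}

function Get-IisSetting {
    # Reads one attribute from applicationHost.config at the given location.
    # Get-WebConfigurationProperty may return the value directly or wrapped in a
    # ConfigurationAttribute; both shapes are reduced to a string (assumption).
    param([string]$Location, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
               -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return 'n/a' }
    if ($null -ne $raw.Value) { return [string]$raw.Value }
    return [string]$raw
}

function Get-ExtendedProtectionReport {
    # One row per site root or vDir with its EP token checking and SSL flags.
    foreach ($site in $Sites.Keys) {
        foreach ($vdir in $Sites[$site]) {
            $loc = if ($vdir) { "$site/$vdir" } else { $site }
            [pscustomobject]@{
                Location      = $loc
                TokenChecking = Get-IisSetting $loc 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
                SslFlags      = Get-IisSetting $loc 'system.webServer/security/access' 'sslFlags'
                RequireSsl    = (Get-IisSetting $loc 'system.webServer/security/access' 'sslFlags') -match '\bSsl\b'
            }
        }
    }
}

Get-ExtendedProtectionReport | Format-Table -AutoSize
```

In the output, the "Default Web Site" row is the site root that the HTTP-to-HTTPS redirect guide tells you to clear "Require SSL" on, while the vDir rows are where the EP script sets tokenChecking; the two do not interfere. A vDir that has tokenChecking set to Require but no Ssl flag is worth a second look, because channel binding only works over TLS that terminates on the Exchange server, which is also why SSL offloading is listed as unsupported.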
Windows Extended Protection is a really big change; I bet this will break most currently deployed load balancing scenarios that use layer 7 features.
I know that Microsoft will release more info on SSL offloading scenarios later but is it possible to get more info on the actual CVEs corrected by the Windows Extended Protection?
The Extended Protection documentation https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/ is a little confusing.
It states To enable Extended Protection on Exchange Server 2013, ensure you do not have any Public Folders on Exchange Server 2013. But that is under the heading Extended Protection cannot be enabled on Exchange Server 2013 servers with Public Folders in a coexistence environment (my emphasis).
So if you only have Exchange 2013 (yes I know, hopefully we are upgrading this year) will EP still affect Public Folders?
UPDATE: Thanks to @Lukas Sassl below for answering my query! We don't have a newer version of Exchange (yet!) so will either hold off enabling EP or see if we actually need any of the Public Folders we currently have.
The Exchange Security patching process seems to be getting more complex in terms of requirements, especially for larger environments! May required PrepareDomain and now EP.
@Wess33 you can download the .msp file from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Home.aspx .
Just search for the KB.
@whatwaht the Public Folders are no longer visible to the end users once Extended Protection is enabled on Exchange server 2013 (if the Public Folder mailboxes are hosted on Exchange 2013). Therefore, we strongly recommend moving the mailboxes to an Exchange 2016 or 2019 server before enabling Extended Protection on Exchange server 2013.
The HealthChecker.ps1 say:
Security Vulnerability: CVE-2022-21978 Install the May 2022 SU and run /PrepareDomain or /PrepareAllDomains - See: https://aka.ms/HC-May22SU
But I have installed KB5015321 (which replaces the May update) and run PrepareAllDomains without problems.
Please let us know which actual CVEs are being corrected by Windows Extended Protection.
You do not need to go via the May update; August update contains all the things from May.
Are you 100% positive that when updating from 2016 CU23 to August SU (thus skipping May SU) you do not need to run PrepareAllDomain? I see contradictory information regarding this.
The FAQ/Install instructions should state clearly if it is needed or not.
One more question.
We have 2019 on prem and Teams calendar integration. Will EP affect this scenario?
There's a known issue with Extended Protection and Retention Policies / Archiving right now, which you are actively working on per the article. Is only Archiving to the Cloud affected or also if the Archives are hosted on Premises?
I have read all the information about the SU and Extended Protection on Microsoft's CSS-Exchange site, but it is not clear if EP can be enabled with the Exchange classic Hybrid topology, or am I missing something?
Does enabling Extended Protection apply to the Exchange Transport role? The script fails on AD check, obviously for now. Was it intended?
@mykel1982 Please check the Security Update Guide; CVEs that require Extended Protection will be marked with that in the FAQ. MSRC team documents this in CVEs.
@ex887 Our SUs are cumulative. But in May, you needed to run /preparealldomains manually after installation. This (and any other manual action) still needs to be done after August 2022 SU installation if it was not done after May 2022 SU. If /preparealldomains was run after May 2022 SU, you do not need to re-run it after August 2022 SU. I have added a FAQ to the blog post now on this.
@Martin_Aigner EDIT: only on-prem.
@DavidH38 Modern Hybrid only, as per this.
@piwex69 It depends on what you mean by "Exchange Transport role". Assuming you mean the Edge role (as opposed to transport on any mailbox server) then no, EP does not apply to Edge servers as per this.
@Tonibert Ah yes, thanks for calling that out; will work with the team to get this download page wording updated.
The FAQ for the security update mentions that it is not required for the Exchange Management Tools Only role, but does not mention whether this update is required for Exchange Edge Transport role. I realize EP doesn't apply to the Edge role, but should the security update itself still be installed on Edge servers?
@AdamBKing Seeing that not all the CVEs are related to EP, yes, the SU itself does apply to Edge also.